by cactus2093 1349 days ago
> You have poor architecture, poor tagging, poor VPC design, poor IAM policy and role modelling or don't know what you are doing to start with.

I would flip it around and say that historically AWS has had extremely inconsistent architecture and IAM policy design that can make it very hard, sometimes impossible, to do it the "right way".

The nice thing about using separate accounts is you don't have to get into as many of the hairy weeds, and the permissions you end up with might end up being much simpler to create and then also to maintain down the road, since everything is isolated by default and then you allowlist only the things you need.

I don't see why you would frame this as "you fucked up" in your design.


Even if it only protects you from fuck ups, isn't that part of good design? People WILL make mistakes, limiting the blast radius of a fuck up is important.
Historically yes. Your job is to evolve this configuration as security controls improve. It's not a fire and forget process, it's continuous improvement.
Or you can just use multiple accounts, which makes things a whole bunch easier.

Frankly, AWS is just missing a level of abstraction here. Azure has resource groups, Gcloud has projects. An AWS account now is just used instead of those concepts, despite it being heavyweight and awkward to do so.

There's plenty of tools to automate the creation and management of new accounts. The biggest hurdle afaik is there's no automated way to delete an account.

Azure also has higher-level subscriptions.

It does, but account creation is kind of slow, and the whole control tower / SSO / etc. stuff is fairly janky. Clearly Amazon have been trying to make the account a more common level of isolation for some time and it's improving, but it's still not fantastic. Support also still has a minimum monthly pricing and isn't cross-account.
AWS recently added the organizations:CloseAccount API (albeit with some caveats discussed elsewhere in this comment tree).